From 389c8550c91da0715c86972306f2015b2f000056 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 1 May 2024 08:04:00 -0600 Subject: [PATCH] Unifdef parser support for SELinux, AppArmor and Solaris privileges. --- plugins/sudoers/check.c | 15 +- plugins/sudoers/cvtsudoers_csv.c | 14 +- plugins/sudoers/cvtsudoers_json.c | 30 +- plugins/sudoers/cvtsudoers_ldif.c | 12 +- plugins/sudoers/cvtsudoers_merge.c | 8 +- plugins/sudoers/display.c | 14 +- plugins/sudoers/fmtsudoers.c | 8 +- plugins/sudoers/gram.c | 458 +++++++++++++---------------- plugins/sudoers/gram.y | 48 +-- plugins/sudoers/ldap_util.c | 14 +- plugins/sudoers/lookup.c | 8 +- plugins/sudoers/parse.h | 14 +- plugins/sudoers/policy.c | 20 +- plugins/sudoers/sudoers.h | 8 +- plugins/sudoers/sudoers_ctx_free.c | 8 +- plugins/sudoers/toke.c | 89 +++--- plugins/sudoers/toke.l | 23 +- 17 files changed, 267 insertions(+), 524 deletions(-) diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c index 4356dd1853..60f4ba70eb 100644 --- a/plugins/sudoers/check.c +++ b/plugins/sudoers/check.c @@ -1,7 +1,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 1993-1996,1998-2005, 2007-2018 + * Copyright (c) 1993-1996,1998-2005, 2007-2024 * Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any 
@@ -139,16 +139,9 @@ check_user(struct sudoers_context *ctx, unsigned int validated, if (ctx->user.uid == 0 || (ctx->user.uid == ctx->runas.pw->pw_uid && (ctx->runas.gr == NULL || user_in_group(ctx->user.pw, ctx->runas.gr->gr_name)))) { -#ifdef HAVE_SELINUX - if (ctx->runas.role == NULL && ctx->runas.type == NULL) -#endif -#ifdef HAVE_APPARMOR - if (ctx->runas.apparmor_profile == NULL) -#endif -#ifdef HAVE_PRIV_SET - if (ctx->runas.privs == NULL && ctx->runas.limitprivs == NULL) -#endif - { + if (ctx->runas.role == NULL && ctx->runas.type == NULL && + ctx->runas.apparmor_profile == NULL && + ctx->runas.privs == NULL && ctx->runas.limitprivs == NULL) { sudo_debug_printf(SUDO_DEBUG_INFO, "%s: user running command as self", __func__); ret = AUTH_SUCCESS; diff --git a/plugins/sudoers/cvtsudoers_csv.c b/plugins/sudoers/cvtsudoers_csv.c index 32ca99c68e..717748e696 100644 --- a/plugins/sudoers/cvtsudoers_csv.c +++ b/plugins/sudoers/cvtsudoers_csv.c @@ -1,7 +1,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 2021-2023 Todd C. Miller + * Copyright (c) 2021-2024 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -574,24 +574,19 @@ print_cmndspec_csv(FILE *fp, const struct sudoers_parse_tree *parse_tree, need_comma = true; } -#ifdef HAVE_SELINUX /* Print SELinux role/type */ if (cs->role != NULL && cs->type != NULL) { fprintf(fp, "%srole=%s,type=%s", need_comma ? "," : "", cs->role, cs->type); need_comma = true; } -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR if (cs->apparmor_profile != NULL) { fprintf(fp, "%sapparmor_profile=%s,", need_comma ? "," : "", cs->apparmor_profile); need_comma = true; } -#endif /* HAVE_APPARMOR */ -#ifdef HAVE_PRIV_SET /* Print Solaris privs/limitprivs */ if (cs->privs != NULL || cs->limitprivs != NULL) { if (cs->privs != NULL) { 
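Review bot: The merged five-term condition in check_user that gates `ret = AUTH_SUCCESS` no longer carries the hint the removed `#ifdef` nesting gave about why a requested SELinux role/type, AppArmor profile or Solaris privilege set disqualifies the run-as-self shortcut. A one-line comment would keep that intent visible, e.g. above the `if`: `/* Running as oneself skips authentication only when no role/type, AppArmor profile or privilege set was requested. */`. The body of check_user continues outside the hunk on both sides.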
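Review bot: In the print_cmndspec_csv hunk the AppArmor branch formats `"%sapparmor_profile=%s,"` with a trailing comma and then also sets `need_comma = true`, so when privs or limitprivs follow the output appears to contain a doubled comma, and when nothing follows a dangling one; the role/type branch just above it uses no trailing comma. This predates the commit, but the branch is now compiled on every platform rather than only under HAVE_APPARMOR, so it is worth fixing here: `fprintf(fp, "%sapparmor_profile=%s", need_comma ? "," : "", cs->apparmor_profile);`. The rest of the function lies outside the hunk.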
@@ -603,7 +598,6 @@ print_cmndspec_csv(FILE *fp, const struct sudoers_parse_tree *parse_tree, need_comma = true; } } -#endif /* HAVE_PRIV_SET */ #ifdef __clang_analyzer__ (void)&need_comma; #endif @@ -620,15 +614,9 @@ print_cmndspec_csv(FILE *fp, const struct sudoers_parse_tree *parse_tree, /* XXX - TAG_SET does not account for implied SETENV */ last_one = next == NULL || RUNAS_CHANGED(cs, next) || TAGS_CHANGED(cs->tags, next->tags) -#ifdef HAVE_PRIV_SET || cs->privs != next->privs || cs->limitprivs != next->limitprivs -#endif /* HAVE_PRIV_SET */ -#ifdef HAVE_SELINUX || cs->role != next->role || cs->type != next->type -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR || cs->apparmor_profile != next->apparmor_profile -#endif /* HAVE_APPARMOR */ || cs->runchroot != next->runchroot || cs->runcwd != next->runcwd; if (!quoted && !last_one) { diff --git a/plugins/sudoers/cvtsudoers_json.c b/plugins/sudoers/cvtsudoers_json.c index 6c64363998..c2a9919615 100644 --- a/plugins/sudoers/cvtsudoers_json.c +++ b/plugins/sudoers/cvtsudoers_json.c @@ -1,7 +1,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 2013-2023 Todd C. Miller + * Copyright (c) 2013-2024 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -667,15 +667,9 @@ cmndspec_continues(struct cmndspec *cs, struct cmndspec *next) { bool ret = next != NULL && !RUNAS_CHANGED(cs, next) && !TAGS_CHANGED(cs->tags, next->tags) -#ifdef HAVE_PRIV_SET && cs->privs == next->privs && cs->limitprivs == next->limitprivs -#endif /* HAVE_PRIV_SET */ -#ifdef HAVE_SELINUX && cs->role == next->role && cs->type == next->type -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR && cs->apparmor_profile == next->apparmor_profile -#endif /* HAVE_APPARMOR */ && cs->runchroot == next->runchroot && cs->runcwd == next->runcwd; return ret; } 
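Review bot: In cmndspec_continues the privs, limitprivs, role, type and apparmor_profile fields are compared with `next` by pointer rather than with strcmp, which now reads like a defect to anyone building without SELinux or AppArmor since the comparisons are no longer hidden behind `#ifdef`; it is presumably deliberate because the parser hands the previous cmndspec's pointers to the next one (the `prev->role` / `prev->privs` propagation in the yyparse hunk), but nothing at this site says so. Suggest a comment above the `bool ret =` initializer: `/* Pointer comparison is intentional: the parser shares the previous cmndspec's role/type/privs/apparmor_profile pointers when they are not set explicitly. */`. The function's signature sits just before the hunk; its body is fully inside it.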
@@ -734,19 +728,9 @@ print_cmndspec_json(struct json_container *jsonc, /* Print options and tags */ has_options = TAGS_SET(cs->tags) || !TAILQ_EMPTY(options) || cs->timeout > 0 || cs->notbefore != UNSPEC || cs->notafter != UNSPEC || - cs->runchroot != NULL || cs->runcwd != NULL; -#ifdef HAVE_SELINUX - if (cs->role != NULL && cs->type != NULL) - has_options = true; -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR - if (cs->apparmor_profile != NULL) - has_options = true; -#endif /* HAVE_APPARMOR */ -#ifdef HAVE_PRIV_SET - if (cs->privs != NULL || cs->limitprivs != NULL) - has_options = true; -#endif /* HAVE_PRIV_SET */ + cs->runchroot != NULL || cs->runcwd != NULL || + (cs->role != NULL && cs->type != NULL) || cs->apparmor_profile != NULL + || cs->privs != NULL || cs->limitprivs != NULL; if (has_options) { struct cmndtag tag = cs->tags; @@ -873,7 +857,6 @@ print_cmndspec_json(struct json_container *jsonc, goto oom; } } -#ifdef HAVE_SELINUX if (cs->role != NULL && cs->type != NULL) { value.type = JSON_STRING; value.u.string = cs->role; @@ -883,16 +866,12 @@ print_cmndspec_json(struct json_container *jsonc, if (!sudo_json_add_value_as_object(jsonc, "type", &value)) goto oom; } -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR if (cs->apparmor_profile != NULL) { value.type = JSON_STRING; value.u.string = cs->apparmor_profile; if (!sudo_json_add_value_as_object(jsonc, "apparmor_profile", &value)) goto oom; } -#endif /* HAVE_APPARMOR */ -#ifdef HAVE_PRIV_SET if (cs->privs != NULL) { value.type = JSON_STRING; value.u.string = cs->privs; @@ -905,7 +884,6 @@ print_cmndspec_json(struct json_container *jsonc, if (!sudo_json_add_value_as_object(jsonc, "limitprivs", &value)) goto oom; } -#endif /* HAVE_PRIV_SET */ if (!sudo_json_close_array(jsonc)) goto oom; } diff --git a/plugins/sudoers/cvtsudoers_ldif.c b/plugins/sudoers/cvtsudoers_ldif.c index fbda44c819..aaaf427168 100644 --- a/plugins/sudoers/cvtsudoers_ldif.c +++ b/plugins/sudoers/cvtsudoers_ldif.c 
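Review bot: The rewritten has_options initializer in print_cmndspec_json mixes operator placement: every continuation line ends with `||` except the last, which starts with `|| cs->privs != NULL`, so the new expression is harder to scan than the `if` chain it replaces. Suggest `(cs->role != NULL && cs->type != NULL) || cs->apparmor_profile != NULL ||` followed by `cs->privs != NULL || cs->limitprivs != NULL;` to keep the trailing-operator form used by the preceding lines. print_cmndspec_json continues outside the hunk on both sides.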
@@ -1,7 +1,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 2018-2023 Todd C. Miller + * Copyright (c) 2018-2024 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -492,7 +492,6 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree, } } -#ifdef HAVE_SELINUX /* Print SELinux role/type */ if (cs->role != NULL && cs->type != NULL) { if (!printf_attribute_ldif(fp, "sudoOption", "role=%s", cs->role) || @@ -500,9 +499,7 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree, debug_return_bool(false); } } -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR /* Print AppArmor profile */ if (cs->apparmor_profile != NULL) { if (!printf_attribute_ldif(fp, "sudoOption", "apparmor_profile=%s", @@ -510,9 +507,7 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree, debug_return_bool(false); } } -#endif /* HAVE_APPARMOR */ -#ifdef HAVE_PRIV_SET /* Print Solaris privs/limitprivs */ if (cs->privs != NULL || cs->limitprivs != NULL) { if (cs->privs != NULL) { @@ -528,7 +523,6 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree, } } } -#endif /* HAVE_PRIV_SET */ /* * Merge adjacent commands with matching tags, runas, SELinux @@ -540,12 +534,8 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree, /* XXX - TAG_SET does not account for implied SETENV */ last_one = next == NULL || RUNAS_CHANGED(cs, next) || TAGS_CHANGED(cs->tags, next->tags) -#ifdef HAVE_PRIV_SET || cs->privs != next->privs || cs->limitprivs != next->limitprivs -#endif /* HAVE_PRIV_SET */ -#ifdef HAVE_SELINUX || cs->role != next->role || cs->type != next->type -#endif /* HAVE_SELINUX */ || cs->runchroot != next->runchroot || cs->runcwd != next->runcwd; if (!print_member_ldif(fp, parse_tree, cs->cmnd->name, cs->cmnd->type, 
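Review bot: The `last_one` merge test in print_cmndspec_ldif compares privs, limitprivs, role and type with `next` but never `apparmor_profile`, whereas the CSV writer's equivalent test and the JSON cmndspec_continues in this same commit both include `cs->apparmor_profile != next->apparmor_profile`; as written, two adjacent commands that differ only in AppArmor profile appear to be merged under the first one's `apparmor_profile=` sudoOption printed a few lines earlier. The omission predates this change, but with the field now unconditional it should be closed: add `|| cs->apparmor_profile != next->apparmor_profile` after the role/type line, and extend the comment above ("matching tags, runas, SELinux") to mention AppArmor. print_cmndspec_ldif continues outside the hunk on both sides.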
diff --git a/plugins/sudoers/cvtsudoers_merge.c b/plugins/sudoers/cvtsudoers_merge.c index 054fa48ac3..609d73a832 100644 --- a/plugins/sudoers/cvtsudoers_merge.c +++ b/plugins/sudoers/cvtsudoers_merge.c @@ -1,7 +1,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 2021-2022 Todd C. Miller + * Copyright (c) 2021-2024 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -1008,7 +1008,6 @@ cmndspec_equivalent(struct cmndspec *cs1, struct cmndspec *cs2, bool check_negat } else if (cs1->runchroot != cs2->runchroot) { debug_return_bool(false); } -#ifdef HAVE_SELINUX if (cs1->role != NULL && cs2->role != NULL) { if (strcmp(cs1->role, cs2->role) != 0) debug_return_bool(false); @@ -1021,16 +1020,12 @@ cmndspec_equivalent(struct cmndspec *cs1, struct cmndspec *cs2, bool check_negat } else if (cs1->type != cs2->type) { debug_return_bool(false); } -#endif -#ifdef HAVE_APPARMOR if (cs1->apparmor_profile != NULL && cs2->apparmor_profile != NULL) { if (strcmp(cs1->apparmor_profile, cs2->apparmor_profile) != 0) debug_return_bool(false); } else if (cs1->apparmor_profile != cs2->apparmor_profile) { debug_return_bool(false); } -#endif -#ifdef HAVE_PRIV_SET if (cs1->privs != NULL && cs2->privs != NULL) { if (strcmp(cs1->privs, cs2->privs) != 0) debug_return_bool(false); @@ -1043,7 +1038,6 @@ cmndspec_equivalent(struct cmndspec *cs1, struct cmndspec *cs2, bool check_negat } else if (cs1->limitprivs != cs2->limitprivs) { debug_return_bool(false); } -#endif debug_return_bool(true); } diff --git a/plugins/sudoers/display.c b/plugins/sudoers/display.c index 0bc9c5395d..8a3cd8b55b 100644 --- a/plugins/sudoers/display.c +++ b/plugins/sudoers/display.c 
@@ -1,7 +1,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 2004-2005, 2007-2023 Todd C. Miller + * Copyright (c) 2004-2005, 2007-2024 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -112,22 +112,16 @@ new_long_entry(const struct cmndspec *cs, const struct cmndspec *prev_cs) debug_return_bool(true); if (RUNAS_CHANGED(cs, prev_cs) || TAGS_CHANGED(prev_cs->tags, cs->tags)) debug_return_bool(true); -#ifdef HAVE_PRIV_SET if (cs->privs && (!prev_cs->privs || strcmp(cs->privs, prev_cs->privs) != 0)) debug_return_bool(true); if (cs->limitprivs && (!prev_cs->limitprivs || strcmp(cs->limitprivs, prev_cs->limitprivs) != 0)) debug_return_bool(true); -#endif /* HAVE_PRIV_SET */ -#ifdef HAVE_SELINUX if (cs->role && (!prev_cs->role || strcmp(cs->role, prev_cs->role) != 0)) debug_return_bool(true); if (cs->type && (!prev_cs->type || strcmp(cs->type, prev_cs->type) != 0)) debug_return_bool(true); -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR if (cs->apparmor_profile && (!prev_cs->apparmor_profile || strcmp(cs->apparmor_profile, prev_cs->apparmor_profile) != 0)) debug_return_bool(true); -#endif /* HAVE_APPARMOR */ if (cs->runchroot && (!prev_cs->runchroot || strcmp(cs->runchroot, prev_cs->runchroot) != 0)) debug_return_bool(true); if (cs->runcwd && (!prev_cs->runcwd || strcmp(cs->runcwd, prev_cs->runcwd) != 0)) 
@@ -211,24 +205,18 @@ display_cmndspec_long(const struct sudoers_parse_tree *parse_tree, } else { lbuf->len = olen; /* no options */ } -#ifdef HAVE_APPARMOR if (cs->apparmor_profile != NULL) { sudo_lbuf_append(lbuf, " ApparmorProfile: %s\n", cs->apparmor_profile); } -#endif /* HAVE_APPARMOR */ -#ifdef HAVE_PRIV_SET if (cs->privs != NULL) sudo_lbuf_append(lbuf, " Privs: %s\n", cs->privs); if (cs->limitprivs != NULL) sudo_lbuf_append(lbuf, " Limitprivs: %s\n", cs->limitprivs); -#endif /* HAVE_PRIV_SET */ -#ifdef HAVE_SELINUX if (cs->role != NULL) sudo_lbuf_append(lbuf, " Role: %s\n", cs->role); if (cs->type != NULL) sudo_lbuf_append(lbuf, " Type: %s\n", cs->type); -#endif /* HAVE_SELINUX */ if (cs->runchroot != NULL) sudo_lbuf_append(lbuf, " Chroot: %s\n", cs->runchroot); if (cs->runcwd != NULL) diff --git a/plugins/sudoers/fmtsudoers.c b/plugins/sudoers/fmtsudoers.c index 7e6d45de61..547abc9b64 100644 --- a/plugins/sudoers/fmtsudoers.c +++ b/plugins/sudoers/fmtsudoers.c @@ -1,7 +1,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 2004-2005, 2007-2023 Todd C. Miller + * Copyright (c) 2004-2005, 2007-2024 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above 
@@ -234,22 +234,16 @@ sudoers_format_cmndspec(struct sudo_lbuf *lbuf, /* Merge privilege-level tags with cmndspec tags. */ TAGS_MERGE(tags, cs->tags); -#ifdef HAVE_PRIV_SET if (cs->privs != NULL && FIELD_CHANGED(prev_cs, cs, privs)) sudo_lbuf_append(lbuf, "PRIVS=\"%s\" ", cs->privs); if (cs->limitprivs != NULL && FIELD_CHANGED(prev_cs, cs, limitprivs)) sudo_lbuf_append(lbuf, "LIMITPRIVS=\"%s\" ", cs->limitprivs); -#endif /* HAVE_PRIV_SET */ -#ifdef HAVE_SELINUX if (cs->role != NULL && FIELD_CHANGED(prev_cs, cs, role)) sudo_lbuf_append(lbuf, "ROLE=%s ", cs->role); if (cs->type != NULL && FIELD_CHANGED(prev_cs, cs, type)) sudo_lbuf_append(lbuf, "TYPE=%s ", cs->type); -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR if (cs->apparmor_profile != NULL && FIELD_CHANGED(prev_cs, cs, apparmor_profile)) sudo_lbuf_append(lbuf, "APPARMOR_PROFILE=%s ", cs->apparmor_profile); -#endif /* HAVE_APPARMOR */ if (cs->runchroot != NULL && FIELD_CHANGED(prev_cs, cs, runchroot)) sudo_lbuf_append(lbuf, "CHROOT=%s ", cs->runchroot); if (cs->runcwd != NULL && FIELD_CHANGED(prev_cs, cs, runcwd)) diff --git a/plugins/sudoers/gram.c b/plugins/sudoers/gram.c index 3cf81a03ae..cdc1b78a93 100644 --- a/plugins/sudoers/gram.c +++ b/plugins/sudoers/gram.c @@ -85,7 +85,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 1996, 1998-2005, 2007-2013, 2014-2023 + * Copyright (c) 1996, 1998-2005, 2007-2013, 2014-2024 * Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any 
@@ -882,18 +882,18 @@ static const yytype_int16 yyrline[] = 236, 242, 245, 248, 251, 254, 258, 262, 266, 270, 276, 279, 285, 288, 294, 295, 302, 311, 320, 330, 340, 352, 353, 358, 364, 381, 385, 391, 400, 408, - 417, 426, 437, 438, 505, 575, 584, 593, 602, 613, - 614, 621, 624, 638, 642, 648, 664, 680, 685, 689, - 694, 699, 704, 709, 713, 718, 721, 726, 743, 755, - 771, 789, 808, 809, 810, 811, 812, 813, 814, 815, - 816, 817, 818, 821, 827, 830, 835, 840, 849, 858, - 870, 877, 884, 891, 898, 907, 910, 913, 916, 919, - 922, 925, 928, 931, 934, 937, 940, 943, 946, 949, - 952, 955, 960, 974, 983, 1004, 1027, 1028, 1031, 1031, - 1043, 1046, 1047, 1054, 1055, 1058, 1058, 1070, 1073, 1074, - 1081, 1082, 1085, 1085, 1097, 1100, 1101, 1104, 1104, 1116, - 1119, 1120, 1127, 1131, 1137, 1146, 1154, 1163, 1172, 1183, - 1184, 1191, 1195, 1201, 1210, 1218 + 417, 426, 437, 438, 499, 563, 572, 581, 590, 601, + 602, 609, 612, 626, 630, 636, 652, 668, 673, 677, + 682, 687, 692, 697, 701, 706, 709, 714, 731, 743, + 759, 777, 796, 797, 798, 799, 800, 801, 802, 803, + 804, 805, 806, 809, 815, 818, 823, 828, 837, 846, + 858, 863, 868, 873, 878, 885, 888, 891, 894, 897, + 900, 903, 906, 909, 912, 915, 918, 921, 924, 927, + 930, 933, 938, 952, 961, 982, 1005, 1006, 1009, 1009, + 1021, 1024, 1025, 1032, 1033, 1036, 1036, 1048, 1051, 1052, + 1059, 1060, 1063, 1063, 1075, 1078, 1079, 1082, 1082, 1094, + 1097, 1098, 1105, 1109, 1115, 1124, 1132, 1141, 1150, 1161, + 1162, 1169, 1173, 1179, 1188, 1196 }; #endif 
@@ -2044,25 +2044,19 @@ yyparse (void) (yyvsp[0].cmndspec)->runcwd = prev->runcwd; if ((yyvsp[0].cmndspec)->runchroot == NULL) (yyvsp[0].cmndspec)->runchroot = prev->runchroot; -#ifdef HAVE_SELINUX /* propagate role and type */ if ((yyvsp[0].cmndspec)->role == NULL && (yyvsp[0].cmndspec)->type == NULL) { (yyvsp[0].cmndspec)->role = prev->role; (yyvsp[0].cmndspec)->type = prev->type; } -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR /* propagate apparmor_profile */ if ((yyvsp[0].cmndspec)->apparmor_profile == NULL) (yyvsp[0].cmndspec)->apparmor_profile = prev->apparmor_profile; -#endif /* HAVE_APPARMOR */ -#ifdef HAVE_PRIV_SET /* propagate privs & limitprivs */ if ((yyvsp[0].cmndspec)->privs == NULL && (yyvsp[0].cmndspec)->limitprivs == NULL) { (yyvsp[0].cmndspec)->privs = prev->privs; (yyvsp[0].cmndspec)->limitprivs = prev->limitprivs; } -#endif /* HAVE_PRIV_SET */ /* propagate command time restrictions */ if ((yyvsp[0].cmndspec)->notbefore == UNSPEC) (yyvsp[0].cmndspec)->notbefore = prev->notbefore; @@ -2098,11 +2092,11 @@ yyparse (void) } (yyval.cmndspec) = (yyvsp[-2].cmndspec); } -#line 2096 "gram.c" +#line 2090 "gram.c" break; case 44: /* cmndspec: runasspec options cmndtag digcmnd */ -#line 505 "gram.y" +#line 499 "gram.y" { struct cmndspec *cs = calloc(1, sizeof(*cs)); if (cs == NULL) { 
@@ -2138,22 +2132,16 @@ yyparse (void) parser_leak_remove(LEAK_RUNAS, (yyvsp[-3].runas)); free((yyvsp[-3].runas)); } -#ifdef HAVE_SELINUX cs->role = (yyvsp[-2].options).role; parser_leak_remove(LEAK_PTR, (yyvsp[-2].options).role); cs->type = (yyvsp[-2].options).type; parser_leak_remove(LEAK_PTR, (yyvsp[-2].options).type); -#endif -#ifdef HAVE_APPARMOR cs->apparmor_profile = (yyvsp[-2].options).apparmor_profile; parser_leak_remove(LEAK_PTR, (yyvsp[-2].options).apparmor_profile); -#endif -#ifdef HAVE_PRIV_SET cs->privs = (yyvsp[-2].options).privs; parser_leak_remove(LEAK_PTR, (yyvsp[-2].options).privs); cs->limitprivs = (yyvsp[-2].options).limitprivs; parser_leak_remove(LEAK_PTR, (yyvsp[-2].options).limitprivs); -#endif cs->notbefore = (yyvsp[-2].options).notbefore; cs->notafter = (yyvsp[-2].options).notafter; cs->timeout = (yyvsp[-2].options).timeout; @@ -2171,11 +2159,11 @@ yyparse (void) cs->tags.setenv = IMPLIED; (yyval.cmndspec) = cs; } -#line 2169 "gram.c" +#line 2157 "gram.c" break; case 45: /* digestspec: SHA224_TOK ':' DIGEST */ -#line 575 "gram.y" +#line 563 "gram.y" { (yyval.digest) = new_digest(SUDO_DIGEST_SHA224, (yyvsp[0].string)); if ((yyval.digest) == NULL) { @@ -2185,11 +2173,11 @@ yyparse (void) parser_leak_remove(LEAK_PTR, (yyvsp[0].string)); parser_leak_add(LEAK_DIGEST, (yyval.digest)); } -#line 2183 "gram.c" +#line 2171 "gram.c" break; case 46: /* digestspec: SHA256_TOK ':' DIGEST */ -#line 584 "gram.y" +#line 572 "gram.y" { (yyval.digest) = new_digest(SUDO_DIGEST_SHA256, (yyvsp[0].string)); if ((yyval.digest) == NULL) { @@ -2199,11 +2187,11 @@ yyparse (void) parser_leak_remove(LEAK_PTR, (yyvsp[0].string)); parser_leak_add(LEAK_DIGEST, (yyval.digest)); } -#line 2197 "gram.c" +#line 2185 "gram.c" break; case 47: /* digestspec: SHA384_TOK ':' DIGEST */ -#line 593 "gram.y" +#line 581 "gram.y" { (yyval.digest) = new_digest(SUDO_DIGEST_SHA384, (yyvsp[0].string)); if ((yyval.digest) == NULL) { 
@@ -2213,11 +2201,11 @@ yyparse (void) parser_leak_remove(LEAK_PTR, (yyvsp[0].string)); parser_leak_add(LEAK_DIGEST, (yyval.digest)); } -#line 2211 "gram.c" +#line 2199 "gram.c" break; case 48: /* digestspec: SHA512_TOK ':' DIGEST */ -#line 602 "gram.y" +#line 590 "gram.y" { (yyval.digest) = new_digest(SUDO_DIGEST_SHA512, (yyvsp[0].string)); if ((yyval.digest) == NULL) { @@ -2227,29 +2215,29 @@ yyparse (void) parser_leak_remove(LEAK_PTR, (yyvsp[0].string)); parser_leak_add(LEAK_DIGEST, (yyval.digest)); } -#line 2225 "gram.c" +#line 2213 "gram.c" break; case 50: /* digestlist: digestlist ',' digestspec */ -#line 614 "gram.y" +#line 602 "gram.y" { parser_leak_remove(LEAK_DIGEST, (yyvsp[0].digest)); HLTQ_CONCAT((yyvsp[-2].digest), (yyvsp[0].digest), entries); (yyval.digest) = (yyvsp[-2].digest); } -#line 2235 "gram.c" +#line 2223 "gram.c" break; case 51: /* digcmnd: opcmnd */ -#line 621 "gram.y" +#line 609 "gram.y" { (yyval.member) = (yyvsp[0].member); } -#line 2243 "gram.c" +#line 2231 "gram.c" break; case 52: /* digcmnd: digestlist opcmnd */ -#line 624 "gram.y" +#line 612 "gram.y" { struct sudo_command *c = (struct sudo_command *) (yyvsp[0].member)->name; @@ -2262,29 +2250,29 @@ yyparse (void) HLTQ_TO_TAILQ(&c->digests, (yyvsp[-1].digest), entries); (yyval.member) = (yyvsp[0].member); } -#line 2260 "gram.c" +#line 2248 "gram.c" break; case 53: /* opcmnd: cmnd */ -#line 638 "gram.y" +#line 626 "gram.y" { (yyval.member) = (yyvsp[0].member); (yyval.member)->negated = false; } -#line 2269 "gram.c" +#line 2257 "gram.c" break; case 54: /* opcmnd: '!' cmnd */ -#line 642 "gram.y" +#line 630 "gram.y" { (yyval.member) = (yyvsp[0].member); (yyval.member)->negated = true; } -#line 2278 "gram.c" +#line 2266 "gram.c" break; case 55: /* chdirspec: CWD '=' WORD */ -#line 648 "gram.y" +#line 636 "gram.y" { if ((yyvsp[0].string)[0] != '/' && (yyvsp[0].string)[0] != '~') { if (strcmp((yyvsp[0].string), "*") != 0) { 
@@ -2299,11 +2287,11 @@ yyparse (void) } (yyval.string) = (yyvsp[0].string); } -#line 2297 "gram.c" +#line 2285 "gram.c" break; case 56: /* chrootspec: CHROOT '=' WORD */ -#line 664 "gram.y" +#line 652 "gram.y" { if ((yyvsp[0].string)[0] != '/' && (yyvsp[0].string)[0] != '~') { if (strcmp((yyvsp[0].string), "*") != 0) { 
@@ -2318,91 +2306,91 @@ yyparse (void) } (yyval.string) = (yyvsp[0].string); } -#line 2316 "gram.c" +#line 2304 "gram.c" break; case 57: /* timeoutspec: CMND_TIMEOUT '=' WORD */ -#line 680 "gram.y" +#line 668 "gram.y" { (yyval.string) = (yyvsp[0].string); } -#line 2324 "gram.c" +#line 2312 "gram.c" break; case 58: /* notbeforespec: NOTBEFORE '=' WORD */ -#line 685 "gram.y" +#line 673 "gram.y" { (yyval.string) = (yyvsp[0].string); } -#line 2332 "gram.c" +#line 2320 "gram.c" break; case 59: /* notafterspec: NOTAFTER '=' WORD */ -#line 689 "gram.y" +#line 677 "gram.y" { (yyval.string) = (yyvsp[0].string); } -#line 2340 "gram.c" +#line 2328 "gram.c" break; case 60: /* rolespec: ROLE '=' WORD */ -#line 694 "gram.y" +#line 682 "gram.y" { (yyval.string) = (yyvsp[0].string); } -#line 2348 "gram.c" +#line 2336 "gram.c" break; case 61: /* typespec: TYPE '=' WORD */ -#line 699 "gram.y" +#line 687 "gram.y" { (yyval.string) = (yyvsp[0].string); } -#line 2356 "gram.c" +#line 2344 "gram.c" break; case 62: /* apparmor_profilespec: APPARMOR_PROFILE '=' WORD */ -#line 704 "gram.y" +#line 692 "gram.y" { (yyval.string) = (yyvsp[0].string); } -#line 2364 "gram.c" +#line 2352 "gram.c" break; case 63: /* privsspec: PRIVS '=' WORD */ -#line 709 "gram.y" +#line 697 "gram.y" { (yyval.string) = (yyvsp[0].string); } -#line 2372 "gram.c" +#line 2360 "gram.c" break; case 64: /* limitprivsspec: LIMITPRIVS '=' WORD */ -#line 713 "gram.y" +#line 701 "gram.y" { (yyval.string) = (yyvsp[0].string); } -#line 2380 "gram.c" +#line 2368 "gram.c" break; case 65: /* runasspec: %empty */ -#line 718 "gram.y" +#line 706 "gram.y" { (yyval.runas) = NULL; } -#line 2388 "gram.c" +#line 2376 "gram.c" break; case 66: /* runasspec: '(' runaslist ')' */ -#line 721 "gram.y" +#line 709 "gram.y" { (yyval.runas) = (yyvsp[-1].runas); } -#line 2396 "gram.c" +#line 2384 "gram.c" break; case 67: /* runaslist: %empty */ -#line 726 "gram.y" +#line 714 "gram.y" { /* User may run command as themselves. 
*/ (yyval.runas) = calloc(1, sizeof(struct runascontainer)); @@ -2420,11 +2408,11 @@ yyparse (void) } parser_leak_add(LEAK_RUNAS, (yyval.runas)); } -#line 2418 "gram.c" +#line 2406 "gram.c" break; case 68: /* runaslist: userlist */ -#line 743 "gram.y" +#line 731 "gram.y" { /* User may run command as a user in userlist. */ (yyval.runas) = calloc(1, sizeof(struct runascontainer)); @@ -2437,11 +2425,11 @@ yyparse (void) (yyval.runas)->runasusers = (yyvsp[0].member); /* $$->runasgroups = NULL; */ } -#line 2435 "gram.c" +#line 2423 "gram.c" break; case 69: /* runaslist: userlist ':' grouplist */ -#line 755 "gram.y" +#line 743 "gram.y" { /* * User may run command as a user in userlist @@ -2458,11 +2446,11 @@ yyparse (void) (yyval.runas)->runasusers = (yyvsp[-2].member); (yyval.runas)->runasgroups = (yyvsp[0].member); } -#line 2456 "gram.c" +#line 2444 "gram.c" break; case 70: /* runaslist: ':' grouplist */ -#line 771 "gram.y" +#line 759 "gram.y" { /* User may run command as a group in grouplist. */ (yyval.runas) = calloc(1, sizeof(struct runascontainer)); @@ -2481,11 +2469,11 @@ yyparse (void) parser_leak_remove(LEAK_MEMBER, (yyvsp[0].member)); (yyval.runas)->runasgroups = (yyvsp[0].member); } -#line 2479 "gram.c" +#line 2467 "gram.c" break; case 71: /* runaslist: ':' */ -#line 789 "gram.y" +#line 777 "gram.y" { /* User may run command as themselves. */ (yyval.runas) = calloc(1, sizeof(struct runascontainer)); 
@@ -2503,114 +2491,114 @@ yyparse (void) } parser_leak_add(LEAK_RUNAS, (yyval.runas)); } -#line 2501 "gram.c" +#line 2489 "gram.c" break; case 72: /* reserved_word: ALL */ -#line 808 "gram.y" +#line 796 "gram.y" { (yyval.cstring) = "ALL"; } -#line 2507 "gram.c" +#line 2495 "gram.c" break; case 73: /* reserved_word: CHROOT */ -#line 809 "gram.y" +#line 797 "gram.y" { (yyval.cstring) = "CHROOT"; } -#line 2513 "gram.c" +#line 2501 "gram.c" break; case 74: /* reserved_word: CWD */ -#line 810 "gram.y" +#line 798 "gram.y" { (yyval.cstring) = "CWD"; } -#line 2519 "gram.c" +#line 2507 "gram.c" break; case 75: /* reserved_word: CMND_TIMEOUT */ -#line 811 "gram.y" +#line 799 "gram.y" { (yyval.cstring) = "CMND_TIMEOUT"; } -#line 2525 "gram.c" +#line 2513 "gram.c" break; case 76: /* reserved_word: NOTBEFORE */ -#line 812 "gram.y" +#line 800 "gram.y" { (yyval.cstring) = "NOTBEFORE"; } -#line 2531 "gram.c" +#line 2519 "gram.c" break; case 77: /* reserved_word: NOTAFTER */ -#line 813 "gram.y" +#line 801 "gram.y" { (yyval.cstring) = "NOTAFTER"; } -#line 2537 "gram.c" +#line 2525 "gram.c" break; case 78: /* reserved_word: ROLE */ -#line 814 "gram.y" +#line 802 "gram.y" { (yyval.cstring) = "ROLE"; } -#line 2543 "gram.c" +#line 2531 "gram.c" break; case 79: /* reserved_word: TYPE */ -#line 815 "gram.y" +#line 803 "gram.y" { (yyval.cstring) = "TYPE"; } -#line 2549 "gram.c" +#line 2537 "gram.c" break; case 80: /* reserved_word: PRIVS */ -#line 816 "gram.y" +#line 804 "gram.y" { (yyval.cstring) = "PRIVS"; } -#line 2555 "gram.c" +#line 2543 "gram.c" break; case 81: /* reserved_word: LIMITPRIVS */ -#line 817 "gram.y" +#line 805 "gram.y" { (yyval.cstring) = "LIMITPRIVS"; } -#line 2561 "gram.c" +#line 2549 "gram.c" break; case 82: /* reserved_word: APPARMOR_PROFILE */ -#line 818 "gram.y" +#line 806 "gram.y" { (yyval.cstring) = "APPARMOR_PROFILE"; } -#line 2567 "gram.c" +#line 2555 "gram.c" break; case 83: /* reserved_alias: reserved_word */ -#line 821 "gram.y" +#line 809 "gram.y" { 
sudoerserrorf(U_("syntax error, reserved word %s used as an alias name"), (yyvsp[0].cstring)); YYERROR; } -#line 2576 "gram.c" +#line 2564 "gram.c" break; case 84: /* options: %empty */ -#line 827 "gram.y" +#line 815 "gram.y" { init_options(&(yyval.options)); } -#line 2584 "gram.c" +#line 2572 "gram.c" break; case 85: /* options: options chdirspec */ -#line 830 "gram.y" +#line 818 "gram.y" { parser_leak_remove(LEAK_PTR, (yyval.options).runcwd); free((yyval.options).runcwd); (yyval.options).runcwd = (yyvsp[0].string); } -#line 2594 "gram.c" +#line 2582 "gram.c" break; case 86: /* options: options chrootspec */ -#line 835 "gram.y" +#line 823 "gram.y" { parser_leak_remove(LEAK_PTR, (yyval.options).runchroot); free((yyval.options).runchroot); (yyval.options).runchroot = (yyvsp[0].string); } -#line 2604 "gram.c" +#line 2592 "gram.c" break; case 87: /* options: options notbeforespec */ -#line 840 "gram.y" +#line 828 "gram.y" { (yyval.options).notbefore = parse_gentime((yyvsp[0].string)); parser_leak_remove(LEAK_PTR, (yyvsp[0].string)); @@ -2620,11 +2608,11 @@ yyparse (void) YYERROR; } } -#line 2618 "gram.c" +#line 2606 "gram.c" break; case 88: /* options: options notafterspec */ -#line 849 "gram.y" +#line 837 "gram.y" { (yyval.options).notafter = parse_gentime((yyvsp[0].string)); parser_leak_remove(LEAK_PTR, (yyvsp[0].string)); @@ -2634,11 +2622,11 @@ yyparse (void) YYERROR; } } -#line 2632 "gram.c" +#line 2620 "gram.c" break; case 89: /* options: options timeoutspec */ -#line 858 "gram.y" +#line 846 "gram.y" { (yyval.options).timeout = parse_timeout((yyvsp[0].string)); parser_leak_remove(LEAK_PTR, (yyvsp[0].string)); 
@@ -2651,207 +2639,197 @@ yyparse (void) YYERROR; } } -#line 2649 "gram.c" +#line 2637 "gram.c" break; case 90: /* options: options rolespec */ -#line 870 "gram.y" +#line 858 "gram.y" { -#ifdef HAVE_SELINUX parser_leak_remove(LEAK_PTR, (yyval.options).role); free((yyval.options).role); (yyval.options).role = (yyvsp[0].string); -#endif } -#line 2661 "gram.c" +#line 2647 "gram.c" break; case 91: /* options: options typespec */ -#line 877 "gram.y" +#line 863 "gram.y" { -#ifdef HAVE_SELINUX parser_leak_remove(LEAK_PTR, (yyval.options).type); free((yyval.options).type); (yyval.options).type = (yyvsp[0].string); -#endif } -#line 2673 "gram.c" +#line 2657 "gram.c" break; case 92: /* options: options apparmor_profilespec */ -#line 884 "gram.y" +#line 868 "gram.y" { -#ifdef HAVE_APPARMOR parser_leak_remove(LEAK_PTR, (yyval.options).apparmor_profile); free((yyval.options).apparmor_profile); (yyval.options).apparmor_profile = (yyvsp[0].string); -#endif } -#line 2685 "gram.c" +#line 2667 "gram.c" break; case 93: /* options: options privsspec */ -#line 891 "gram.y" +#line 873 "gram.y" { -#ifdef HAVE_PRIV_SET parser_leak_remove(LEAK_PTR, (yyval.options).privs); free((yyval.options).privs); (yyval.options).privs = (yyvsp[0].string); -#endif } -#line 2697 "gram.c" +#line 2677 "gram.c" break; case 94: /* options: options limitprivsspec */ -#line 898 "gram.y" +#line 878 "gram.y" { -#ifdef HAVE_PRIV_SET parser_leak_remove(LEAK_PTR, (yyval.options).limitprivs); free((yyval.options).limitprivs); (yyval.options).limitprivs = (yyvsp[0].string); -#endif } -#line 2709 "gram.c" +#line 2687 "gram.c" break; case 95: /* cmndtag: %empty */ -#line 907 "gram.y" +#line 885 "gram.y" { TAGS_INIT(&(yyval.tag)); } -#line 2717 "gram.c" +#line 2695 "gram.c" break; case 96: /* cmndtag: cmndtag NOPASSWD */ -#line 910 "gram.y" +#line 888 "gram.y" { (yyval.tag).nopasswd = true; } -#line 2725 "gram.c" +#line 2703 "gram.c" break; case 97: /* cmndtag: cmndtag PASSWD */ -#line 913 "gram.y" +#line 891 "gram.y" { 
(yyval.tag).nopasswd = false; } -#line 2733 "gram.c" +#line 2711 "gram.c" break; case 98: /* cmndtag: cmndtag NOEXEC */ -#line 916 "gram.y" +#line 894 "gram.y" { (yyval.tag).noexec = true; } -#line 2741 "gram.c" +#line 2719 "gram.c" break; case 99: /* cmndtag: cmndtag EXEC */ -#line 919 "gram.y" +#line 897 "gram.y" { (yyval.tag).noexec = false; } -#line 2749 "gram.c" +#line 2727 "gram.c" break; case 100: /* cmndtag: cmndtag INTERCEPT */ -#line 922 "gram.y" +#line 900 "gram.y" { (yyval.tag).intercept = true; } -#line 2757 "gram.c" +#line 2735 "gram.c" break; case 101: /* cmndtag: cmndtag NOINTERCEPT */ -#line 925 "gram.y" +#line 903 "gram.y" { (yyval.tag).intercept = false; } -#line 2765 "gram.c" +#line 2743 "gram.c" break; case 102: /* cmndtag: cmndtag SETENV */ -#line 928 "gram.y" +#line 906 "gram.y" { (yyval.tag).setenv = true; } -#line 2773 "gram.c" +#line 2751 "gram.c" break; case 103: /* cmndtag: cmndtag NOSETENV */ -#line 931 "gram.y" +#line 909 "gram.y" { (yyval.tag).setenv = false; } -#line 2781 "gram.c" +#line 2759 "gram.c" break; case 104: /* cmndtag: cmndtag LOG_INPUT */ -#line 934 "gram.y" +#line 912 "gram.y" { (yyval.tag).log_input = true; } -#line 2789 "gram.c" +#line 2767 "gram.c" break; case 105: /* cmndtag: cmndtag NOLOG_INPUT */ -#line 937 "gram.y" +#line 915 "gram.y" { (yyval.tag).log_input = false; } -#line 2797 "gram.c" +#line 2775 "gram.c" break; case 106: /* cmndtag: cmndtag LOG_OUTPUT */ -#line 940 "gram.y" +#line 918 "gram.y" { (yyval.tag).log_output = true; } -#line 2805 "gram.c" +#line 2783 "gram.c" break; case 107: /* cmndtag: cmndtag NOLOG_OUTPUT */ -#line 943 "gram.y" +#line 921 "gram.y" { (yyval.tag).log_output = false; } -#line 2813 "gram.c" +#line 2791 "gram.c" break; case 108: /* cmndtag: cmndtag FOLLOWLNK */ -#line 946 "gram.y" +#line 924 "gram.y" { (yyval.tag).follow = true; } -#line 2821 "gram.c" +#line 2799 "gram.c" break; case 109: /* cmndtag: cmndtag NOFOLLOWLNK */ -#line 949 "gram.y" +#line 927 "gram.y" { (yyval.tag).follow 
= false; } -#line 2829 "gram.c" +#line 2807 "gram.c" break; case 110: /* cmndtag: cmndtag MAIL */ -#line 952 "gram.y" +#line 930 "gram.y" { (yyval.tag).send_mail = true; } -#line 2837 "gram.c" +#line 2815 "gram.c" break; case 111: /* cmndtag: cmndtag NOMAIL */ -#line 955 "gram.y" +#line 933 "gram.y" { (yyval.tag).send_mail = false; } -#line 2845 "gram.c" +#line 2823 "gram.c" break; case 112: /* cmnd: ALL */ -#line 960 "gram.y" +#line 938 "gram.y" { struct sudo_command *c; @@ -2866,11 +2844,11 @@ yyparse (void) } parser_leak_add(LEAK_MEMBER, (yyval.member)); } -#line 2864 "gram.c" +#line 2842 "gram.c" break; case 113: /* cmnd: ALIAS */ -#line 974 "gram.y" +#line 952 "gram.y" { (yyval.member) = new_member((yyvsp[0].string), ALIAS); if ((yyval.member) == NULL) { @@ -2880,11 +2858,11 @@ yyparse (void) parser_leak_remove(LEAK_PTR, (yyvsp[0].string)); parser_leak_add(LEAK_MEMBER, (yyval.member)); } -#line 2878 "gram.c" +#line 2856 "gram.c" break; case 114: /* cmnd: COMMAND */ -#line 983 "gram.y" +#line 961 "gram.y" { struct sudo_command *c; @@ -2906,11 +2884,11 @@ yyparse (void) parser_leak_remove(LEAK_PTR, (yyvsp[0].command).args); parser_leak_add(LEAK_MEMBER, (yyval.member)); } -#line 2904 "gram.c" +#line 2882 "gram.c" break; case 115: /* cmnd: WORD */ -#line 1004 "gram.y" +#line 982 "gram.y" { if (strcmp((yyvsp[0].string), "list") == 0) { struct sudo_command *c; @@ -2932,20 +2910,20 @@ yyparse (void) YYERROR; } } -#line 2930 "gram.c" +#line 2908 "gram.c" break; case 118: /* $@1: %empty */ -#line 1031 "gram.y" +#line 1009 "gram.y" { alias_line = this_lineno; alias_column = (int)sudolinebuf.toke_start + 1; } -#line 2939 "gram.c" +#line 2917 "gram.c" break; case 119: /* hostalias: ALIAS $@1 '=' hostlist */ -#line 1034 "gram.y" +#line 1012 "gram.y" { if (!alias_add(&parsed_policy, (yyvsp[-3].string), HOSTALIAS, sudoers, alias_line, alias_column, (yyvsp[0].member))) { 
@@ -2955,30 +2933,30 @@ yyparse (void) parser_leak_remove(LEAK_PTR, (yyvsp[-3].string)); parser_leak_remove(LEAK_MEMBER, (yyvsp[0].member)); } -#line 2953 "gram.c" +#line 2931 "gram.c" break; case 122: /* hostlist: hostlist ',' ophost */ -#line 1047 "gram.y" +#line 1025 "gram.y" { parser_leak_remove(LEAK_MEMBER, (yyvsp[0].member)); HLTQ_CONCAT((yyvsp[-2].member), (yyvsp[0].member), entries); (yyval.member) = (yyvsp[-2].member); } -#line 2963 "gram.c" +#line 2941 "gram.c" break; case 125: /* $@2: %empty */ -#line 1058 "gram.y" +#line 1036 "gram.y" { alias_line = this_lineno; alias_column = (int)sudolinebuf.toke_start + 1; } -#line 2972 "gram.c" +#line 2950 "gram.c" break; case 126: /* cmndalias: ALIAS $@2 '=' cmndlist */ -#line 1061 "gram.y" +#line 1039 "gram.y" { if (!alias_add(&parsed_policy, (yyvsp[-3].string), CMNDALIAS, sudoers, alias_line, alias_column, (yyvsp[0].member))) { @@ -2988,30 +2966,30 @@ yyparse (void) parser_leak_remove(LEAK_PTR, (yyvsp[-3].string)); parser_leak_remove(LEAK_MEMBER, (yyvsp[0].member)); } -#line 2986 "gram.c" +#line 2964 "gram.c" break; case 129: /* cmndlist: cmndlist ',' digcmnd */ -#line 1074 "gram.y" +#line 1052 "gram.y" { parser_leak_remove(LEAK_MEMBER, (yyvsp[0].member)); HLTQ_CONCAT((yyvsp[-2].member), (yyvsp[0].member), entries); (yyval.member) = (yyvsp[-2].member); } -#line 2996 "gram.c" +#line 2974 "gram.c" break; case 132: /* $@3: %empty */ -#line 1085 "gram.y" +#line 1063 "gram.y" { alias_line = this_lineno; alias_column = (int)sudolinebuf.toke_start + 1; } -#line 3005 "gram.c" +#line 2983 "gram.c" break; case 133: /* runasalias: ALIAS $@3 '=' userlist */ -#line 1088 "gram.y" +#line 1066 "gram.y" { if (!alias_add(&parsed_policy, (yyvsp[-3].string), RUNASALIAS, sudoers, alias_line, alias_column, (yyvsp[0].member))) { 
@@ -3021,20 +2999,20 @@ yyparse (void) parser_leak_remove(LEAK_PTR, (yyvsp[-3].string)); parser_leak_remove(LEAK_MEMBER, (yyvsp[0].member)); } -#line 3019 "gram.c" +#line 2997 "gram.c" break; case 137: /* $@4: %empty */ -#line 1104 "gram.y" +#line 1082 "gram.y" { alias_line = this_lineno; alias_column = (int)sudolinebuf.toke_start + 1; } -#line 3028 "gram.c" +#line 3006 "gram.c" break; case 138: /* useralias: ALIAS $@4 '=' userlist */ -#line 1107 "gram.y" +#line 1085 "gram.y" { if (!alias_add(&parsed_policy, (yyvsp[-3].string), USERALIAS, sudoers, alias_line, alias_column, (yyvsp[0].member))) { @@ -3044,39 +3022,39 @@ yyparse (void) parser_leak_remove(LEAK_PTR, (yyvsp[-3].string)); parser_leak_remove(LEAK_MEMBER, (yyvsp[0].member)); } -#line 3042 "gram.c" +#line 3020 "gram.c" break; case 141: /* userlist: userlist ',' opuser */ -#line 1120 "gram.y" +#line 1098 "gram.y" { parser_leak_remove(LEAK_MEMBER, (yyvsp[0].member)); HLTQ_CONCAT((yyvsp[-2].member), (yyvsp[0].member), entries); (yyval.member) = (yyvsp[-2].member); } -#line 3052 "gram.c" +#line 3030 "gram.c" break; case 142: /* opuser: user */ -#line 1127 "gram.y" +#line 1105 "gram.y" { (yyval.member) = (yyvsp[0].member); (yyval.member)->negated = false; } -#line 3061 "gram.c" +#line 3039 "gram.c" break; case 143: /* opuser: '!' user */ -#line 1131 "gram.y" +#line 1109 "gram.y" { (yyval.member) = (yyvsp[0].member); (yyval.member)->negated = true; } -#line 3070 "gram.c" +#line 3048 "gram.c" break; case 144: /* user: ALIAS */ -#line 1137 "gram.y" +#line 1115 "gram.y" { (yyval.member) = new_member((yyvsp[0].string), ALIAS); if ((yyval.member) == NULL) { @@ -3086,11 +3064,11 @@ yyparse (void) parser_leak_remove(LEAK_PTR, (yyvsp[0].string)); parser_leak_add(LEAK_MEMBER, (yyval.member)); } -#line 3084 "gram.c" +#line 3062 "gram.c" break; case 145: /* user: ALL */ -#line 1146 "gram.y" +#line 1124 "gram.y" { (yyval.member) = new_member(NULL, ALL); if ((yyval.member) == NULL) { 
@@ -3099,11 +3077,11 @@ yyparse (void) } parser_leak_add(LEAK_MEMBER, (yyval.member)); } -#line 3097 "gram.c" +#line 3075 "gram.c" break; case 146: /* user: NETGROUP */ -#line 1154 "gram.y" +#line 1132 "gram.y" { (yyval.member) = new_member((yyvsp[0].string), NETGROUP); if ((yyval.member) == NULL) { @@ -3113,11 +3091,11 @@ yyparse (void) parser_leak_remove(LEAK_PTR, (yyvsp[0].string)); parser_leak_add(LEAK_MEMBER, (yyval.member)); } -#line 3111 "gram.c" +#line 3089 "gram.c" break; case 147: /* user: USERGROUP */ -#line 1163 "gram.y" +#line 1141 "gram.y" { (yyval.member) = new_member((yyvsp[0].string), USERGROUP); if ((yyval.member) == NULL) { @@ -3127,11 +3105,11 @@ yyparse (void) parser_leak_remove(LEAK_PTR, (yyvsp[0].string)); parser_leak_add(LEAK_MEMBER, (yyval.member)); } -#line 3125 "gram.c" +#line 3103 "gram.c" break; case 148: /* user: WORD */ -#line 1172 "gram.y" +#line 1150 "gram.y" { (yyval.member) = new_member((yyvsp[0].string), WORD); if ((yyval.member) == NULL) { 
@@ -3141,39 +3119,39 @@ yyparse (void) parser_leak_remove(LEAK_PTR, (yyvsp[0].string)); parser_leak_add(LEAK_MEMBER, (yyval.member)); } -#line 3139 "gram.c" +#line 3117 "gram.c" break; case 150: /* grouplist: grouplist ',' opgroup */ -#line 1184 "gram.y" +#line 1162 "gram.y" { parser_leak_remove(LEAK_MEMBER, (yyvsp[0].member)); HLTQ_CONCAT((yyvsp[-2].member), (yyvsp[0].member), entries); (yyval.member) = (yyvsp[-2].member); } -#line 3149 "gram.c" +#line 3127 "gram.c" break; case 151: /* opgroup: group */ -#line 1191 "gram.y" +#line 1169 "gram.y" { (yyval.member) = (yyvsp[0].member); (yyval.member)->negated = false; } -#line 3158 "gram.c" +#line 3136 "gram.c" break; case 152: /* opgroup: '!' group */ -#line 1195 "gram.y" +#line 1173 "gram.y" { (yyval.member) = (yyvsp[0].member); (yyval.member)->negated = true; } -#line 3167 "gram.c" +#line 3145 "gram.c" break; case 153: /* group: ALIAS */ -#line 1201 "gram.y" +#line 1179 "gram.y" { (yyval.member) = new_member((yyvsp[0].string), ALIAS); if ((yyval.member) == NULL) { @@ -3183,11 +3161,11 @@ yyparse (void) parser_leak_remove(LEAK_PTR, (yyvsp[0].string)); parser_leak_add(LEAK_MEMBER, (yyval.member)); } -#line 3181 "gram.c" +#line 3159 "gram.c" break; case 154: /* group: ALL */ -#line 1210 "gram.y" +#line 1188 "gram.y" { (yyval.member) = new_member(NULL, ALL); if ((yyval.member) == NULL) { @@ -3196,11 +3174,11 @@ yyparse (void) } parser_leak_add(LEAK_MEMBER, (yyval.member)); } -#line 3194 "gram.c" +#line 3172 "gram.c" break; case 155: /* group: WORD */ -#line 1218 "gram.y" +#line 1196 "gram.y" { (yyval.member) = new_member((yyvsp[0].string), WORD); if ((yyval.member) == NULL) { @@ -3210,11 +3188,11 @@ yyparse (void) parser_leak_remove(LEAK_PTR, (yyvsp[0].string)); parser_leak_add(LEAK_MEMBER, (yyval.member)); } -#line 3208 "gram.c" +#line 3186 "gram.c" break; -#line 3212 "gram.c" +#line 3190 "gram.c" default: break; } 
@@ -3407,7 +3385,7 @@ yyparse (void) return yyresult; } -#line 1228 "gram.y" +#line 1206 "gram.y" /* Like yyerror() but takes a printf-style format string. */ void @@ -3776,7 +3754,6 @@ free_cmndspec(struct cmndspec *cs, struct cmndspec_list *csl) (next == NULL || cs->runchroot != next->runchroot)) { free(cs->runchroot); } -#ifdef HAVE_SELINUX /* Don't free root/type that are in use by other entries. */ if ((prev == NULL || cs->role != prev->role) && (next == NULL || cs->role != next->role)) { @@ -3786,8 +3763,6 @@ free_cmndspec(struct cmndspec *cs, struct cmndspec_list *csl) (next == NULL || cs->type != next->type)) { free(cs->type); } -#endif /* HAVE_SELINUX */ -#ifdef HAVE_PRIV_SET /* Don't free privs/limitprivs that are in use by other entries. */ if ((prev == NULL || cs->privs != prev->privs) && (next == NULL || cs->privs != next->privs)) { @@ -3797,7 +3772,6 @@ free_cmndspec(struct cmndspec *cs, struct cmndspec_list *csl) (next == NULL || cs->limitprivs != next->limitprivs)) { free(cs->limitprivs); } -#endif /* HAVE_PRIV_SET */ /* Don't free user/group lists that are in use by other entries. */ if (cs->runasuserlist != NULL) { if ((prev == NULL || cs->runasuserlist != prev->runasuserlist) && @@ -3824,15 +3798,9 @@ free_cmndspecs(struct cmndspec_list *csl) { struct member_list *runasuserlist = NULL, *runasgrouplist = NULL; char *runcwd = NULL, *runchroot = NULL; -#ifdef HAVE_SELINUX char *role = NULL, *type = NULL; -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR char *apparmor_profile = NULL; -#endif /* HAVE_APPARMOR */ -#ifdef HAVE_PRIV_SET char *privs = NULL, *limitprivs = NULL; -#endif /* HAVE_PRIV_SET */ struct cmndspec *cs; debug_decl(free_cmndspecs, SUDOERS_DEBUG_PARSER); @@ -3848,7 +3816,6 @@ free_cmndspecs(struct cmndspec_list *csl) runchroot = cs->runchroot; free(cs->runchroot); } -#ifdef HAVE_SELINUX /* Only free the first instance of a role/type. */ if (cs->role != role) { role = cs->role; 
@@ -3858,15 +3825,11 @@ free_cmndspecs(struct cmndspec_list *csl) type = cs->type; free(cs->type); } -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR /* Only free the first instance of apparmor_profile. */ if (cs->apparmor_profile != apparmor_profile) { apparmor_profile = cs->apparmor_profile; free(cs->apparmor_profile); } -#endif /* HAVE_APPARMOR */ -#ifdef HAVE_PRIV_SET /* Only free the first instance of privs/limitprivs. */ if (cs->privs != privs) { privs = cs->privs; @@ -3876,7 +3839,6 @@ free_cmndspecs(struct cmndspec_list *csl) limitprivs = cs->limitprivs; free(cs->limitprivs); } -#endif /* HAVE_PRIV_SET */ /* Only free the first instance of runas user/group lists. */ if (cs->runasuserlist && cs->runasuserlist != runasuserlist) { runasuserlist = cs->runasuserlist; @@ -4062,17 +4024,11 @@ init_options(struct command_options *opts) opts->timeout = UNSPEC; opts->runchroot = NULL; opts->runcwd = NULL; -#ifdef HAVE_SELINUX opts->role = NULL; opts->type = NULL; -#endif -#ifdef HAVE_PRIV_SET + opts->apparmor_profile = NULL; opts->privs = NULL; opts->limitprivs = NULL; -#endif -#ifdef HAVE_APPARMOR - opts->apparmor_profile = NULL; -#endif } uid_t diff --git a/plugins/sudoers/gram.y b/plugins/sudoers/gram.y index 3d40a5ddb3..495a5b3f79 100644 --- a/plugins/sudoers/gram.y +++ b/plugins/sudoers/gram.y @@ -2,7 +2,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 1996, 1998-2005, 2007-2013, 2014-2023 + * Copyright (c) 1996, 1998-2005, 2007-2013, 2014-2024 * Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any 
@@ -446,25 +446,19 @@ cmndspeclist : cmndspec $3->runcwd = prev->runcwd; if ($3->runchroot == NULL) $3->runchroot = prev->runchroot; -#ifdef HAVE_SELINUX /* propagate role and type */ if ($3->role == NULL && $3->type == NULL) { $3->role = prev->role; $3->type = prev->type; } -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR /* propagate apparmor_profile */ if ($3->apparmor_profile == NULL) $3->apparmor_profile = prev->apparmor_profile; -#endif /* HAVE_APPARMOR */ -#ifdef HAVE_PRIV_SET /* propagate privs & limitprivs */ if ($3->privs == NULL && $3->limitprivs == NULL) { $3->privs = prev->privs; $3->limitprivs = prev->limitprivs; } -#endif /* HAVE_PRIV_SET */ /* propagate command time restrictions */ if ($3->notbefore == UNSPEC) $3->notbefore = prev->notbefore; @@ -537,22 +531,16 @@ cmndspec : runasspec options cmndtag digcmnd { parser_leak_remove(LEAK_RUNAS, $1); free($1); } -#ifdef HAVE_SELINUX cs->role = $2.role; parser_leak_remove(LEAK_PTR, $2.role); cs->type = $2.type; parser_leak_remove(LEAK_PTR, $2.type); -#endif -#ifdef HAVE_APPARMOR cs->apparmor_profile = $2.apparmor_profile; parser_leak_remove(LEAK_PTR, $2.apparmor_profile); -#endif -#ifdef HAVE_PRIV_SET cs->privs = $2.privs; parser_leak_remove(LEAK_PTR, $2.privs); cs->limitprivs = $2.limitprivs; parser_leak_remove(LEAK_PTR, $2.limitprivs); -#endif cs->notbefore = $2.notbefore; cs->notafter = $2.notafter; cs->timeout = $2.timeout; 
@@ -868,39 +856,29 @@ options : /* empty */ { } } | options rolespec { -#ifdef HAVE_SELINUX parser_leak_remove(LEAK_PTR, $$.role); free($$.role); $$.role = $2; -#endif } | options typespec { -#ifdef HAVE_SELINUX parser_leak_remove(LEAK_PTR, $$.type); free($$.type); $$.type = $2; -#endif } | options apparmor_profilespec { -#ifdef HAVE_APPARMOR parser_leak_remove(LEAK_PTR, $$.apparmor_profile); free($$.apparmor_profile); $$.apparmor_profile = $2; -#endif } | options privsspec { -#ifdef HAVE_PRIV_SET parser_leak_remove(LEAK_PTR, $$.privs); free($$.privs); $$.privs = $2; -#endif } | options limitprivsspec { -#ifdef HAVE_PRIV_SET parser_leak_remove(LEAK_PTR, $$.limitprivs); free($$.limitprivs); $$.limitprivs = $2; -#endif } ; @@ -1593,7 +1571,6 @@ free_cmndspec(struct cmndspec *cs, struct cmndspec_list *csl) (next == NULL || cs->runchroot != next->runchroot)) { free(cs->runchroot); } -#ifdef HAVE_SELINUX /* Don't free root/type that are in use by other entries. */ if ((prev == NULL || cs->role != prev->role) && (next == NULL || cs->role != next->role)) { @@ -1603,8 +1580,6 @@ free_cmndspec(struct cmndspec *cs, struct cmndspec_list *csl) (next == NULL || cs->type != next->type)) { free(cs->type); } -#endif /* HAVE_SELINUX */ -#ifdef HAVE_PRIV_SET /* Don't free privs/limitprivs that are in use by other entries. */ if ((prev == NULL || cs->privs != prev->privs) && (next == NULL || cs->privs != next->privs)) { @@ -1614,7 +1589,6 @@ free_cmndspec(struct cmndspec *cs, struct cmndspec_list *csl) (next == NULL || cs->limitprivs != next->limitprivs)) { free(cs->limitprivs); } -#endif /* HAVE_PRIV_SET */ /* Don't free user/group lists that are in use by other entries. */ if (cs->runasuserlist != NULL) { if ((prev == NULL || cs->runasuserlist != prev->runasuserlist) && 
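Review bot: free_cmndspec releases cs->role, cs->type, cs->privs and cs->limitprivs with the prev/next sharing guard, but nothing in these hunks frees cs->apparmor_profile, even though free_cmndspecs later in the file does free "the first instance of apparmor_profile" and the cmndspec rule assigns an owned string from $2.apparmor_profile. Unless it is released before the hunk begins, removing a single cmndspec leaks the profile string; now that the field is unconditional this affects every build, not only AppArmor ones. Because the cmndspeclist propagation can share the pointer with neighbouring entries, it needs the same guard as role/type rather than an unconditional free. free_cmndspec starts and ends outside the hunk.
```c
    /* … unchanged: role/type frees … */
    /* Don't free apparmor_profile that is in use by other entries. */
    if ((prev == NULL || cs->apparmor_profile != prev->apparmor_profile) &&
	(next == NULL || cs->apparmor_profile != next->apparmor_profile)) {
	free(cs->apparmor_profile);
    }
    /* … unchanged: privs/limitprivs frees … */
```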
@@ -1641,15 +1615,9 @@ free_cmndspecs(struct cmndspec_list *csl) { struct member_list *runasuserlist = NULL, *runasgrouplist = NULL; char *runcwd = NULL, *runchroot = NULL; -#ifdef HAVE_SELINUX char *role = NULL, *type = NULL; -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR char *apparmor_profile = NULL; -#endif /* HAVE_APPARMOR */ -#ifdef HAVE_PRIV_SET char *privs = NULL, *limitprivs = NULL; -#endif /* HAVE_PRIV_SET */ struct cmndspec *cs; debug_decl(free_cmndspecs, SUDOERS_DEBUG_PARSER); @@ -1665,7 +1633,6 @@ free_cmndspecs(struct cmndspec_list *csl) runchroot = cs->runchroot; free(cs->runchroot); } -#ifdef HAVE_SELINUX /* Only free the first instance of a role/type. */ if (cs->role != role) { role = cs->role; @@ -1675,15 +1642,11 @@ free_cmndspecs(struct cmndspec_list *csl) type = cs->type; free(cs->type); } -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR /* Only free the first instance of apparmor_profile. */ if (cs->apparmor_profile != apparmor_profile) { apparmor_profile = cs->apparmor_profile; free(cs->apparmor_profile); } -#endif /* HAVE_APPARMOR */ -#ifdef HAVE_PRIV_SET /* Only free the first instance of privs/limitprivs. */ if (cs->privs != privs) { privs = cs->privs; @@ -1693,7 +1656,6 @@ free_cmndspecs(struct cmndspec_list *csl) limitprivs = cs->limitprivs; free(cs->limitprivs); } -#endif /* HAVE_PRIV_SET */ /* Only free the first instance of runas user/group lists. */ if (cs->runasuserlist && cs->runasuserlist != runasuserlist) { runasuserlist = cs->runasuserlist; @@ -1879,17 +1841,11 @@ init_options(struct command_options *opts) opts->timeout = UNSPEC; opts->runchroot = NULL; opts->runcwd = NULL; -#ifdef HAVE_SELINUX opts->role = NULL; opts->type = NULL; -#endif -#ifdef HAVE_PRIV_SET + opts->apparmor_profile = NULL; opts->privs = NULL; opts->limitprivs = NULL; -#endif -#ifdef HAVE_APPARMOR - opts->apparmor_profile = NULL; -#endif } uid_t diff --git a/plugins/sudoers/ldap_util.c b/plugins/sudoers/ldap_util.c index c7b36a8f37..8eaed2f2d8 100644 
--- a/plugins/sudoers/ldap_util.c +++ b/plugins/sudoers/ldap_util.c @@ -1,7 +1,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 2013, 2016, 2018-2018 Todd C. Miller + * Copyright (c) 2013, 2016, 2018-2024 Todd C. Miller * * This code is derived from software contributed by Aaron Spangler. * @@ -439,17 +439,11 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers, cmndspec->timeout = prev_cmndspec->timeout; cmndspec->runchroot = prev_cmndspec->runchroot; cmndspec->runcwd = prev_cmndspec->runcwd; -#ifdef HAVE_SELINUX cmndspec->role = prev_cmndspec->role; cmndspec->type = prev_cmndspec->type; -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR cmndspec->apparmor_profile = prev_cmndspec->apparmor_profile; -#endif /* HAVE_APPARMOR */ -#ifdef HAVE_PRIV_SET cmndspec->privs = prev_cmndspec->privs; cmndspec->limitprivs = prev_cmndspec->limitprivs; -#endif /* HAVE_PRIV_SET */ cmndspec->tags = prev_cmndspec->tags; if (cmndspec->tags.setenv == IMPLIED) cmndspec->tags.setenv = UNSPEC; @@ -519,7 +513,6 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers, } if ((cmndspec->runcwd = strdup(val)) == NULL) break; -#ifdef HAVE_SELINUX } else if (strcmp(var, "role") == 0 && val != NULL) { if (cmndspec->role != NULL) { free(cmndspec->role); @@ -536,8 +529,6 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers, } if ((cmndspec->type = strdup(val)) == NULL) break; -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR } else if (strcmp(var, "apparmor_profile") == 0 && val != NULL) { if (cmndspec->apparmor_profile != NULL) { free(cmndspec->apparmor_profile); @@ -546,8 +537,6 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers, } if ((cmndspec->apparmor_profile = strdup(val)) == NULL) break; -#endif /* HAVE_APPARMOR */ -#ifdef HAVE_PRIV_SET } else if (strcmp(var, "privs") == 0 && val != NULL) { if (cmndspec->privs != NULL) { free(cmndspec->privs); 
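Review bot: The inherit block in sudo_ldap_role_to_priv copies role, type, apparmor_profile, privs and limitprivs from prev_cmndspec by pointer rather than duplicating them, so several cmndspecs built for one cn share one allocation, and nothing at the site says who frees it; the "Only free the first instance" logic in free_cmndspecs presumably is what makes this safe. That invariant is easy to break now that the fields exist on every build and more code paths touch them, so it deserves a comment where the sharing happens, e.g. `/* Pointers shared with prev_cmndspec; free_cmndspecs() frees only the first instance. */`. The option-parsing loop further down is the only place that should ever free-and-replace these fields, and it is worth stating that in the same comment. The enclosing function starts and ends outside the hunk.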
@@ -564,7 +553,6 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers, } if ((cmndspec->limitprivs = strdup(val)) == NULL) break; -#endif /* HAVE_PRIV_SET */ } else if (store_options) { if (!append_default(var, val, op, source, &priv->defaults)) { diff --git a/plugins/sudoers/lookup.c b/plugins/sudoers/lookup.c index 2c0a9e62d2..7f0af2849e 100644 --- a/plugins/sudoers/lookup.c +++ b/plugins/sudoers/lookup.c @@ -1,7 +1,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 2004-2005, 2007-2023 Todd C. Miller + * Copyright (c) 2004-2005, 2007-2024 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -322,7 +322,6 @@ apply_cmndspec(struct sudoers_context *ctx, struct cmndspec *cs) debug_decl(apply_cmndspec, SUDOERS_DEBUG_PARSER); if (cs != NULL) { -#ifdef HAVE_SELINUX /* Set role and type if not specified on command line. */ if (ctx->runas.role == NULL) { if (cs->role != NULL) { @@ -358,8 +357,6 @@ apply_cmndspec(struct sudoers_context *ctx, struct cmndspec *cs) "ctx->runas.type -> %s", ctx->runas.type); } } -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR /* Set AppArmor profile, if specified */ if (cs->apparmor_profile != NULL) { ctx->runas.apparmor_profile = strdup(cs->apparmor_profile); @@ -376,8 +373,6 @@ apply_cmndspec(struct sudoers_context *ctx, struct cmndspec *cs) sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, "ctx->runas.apparmor_profile -> %s", ctx->runas.apparmor_profile); } -#endif -#ifdef HAVE_PRIV_SET /* Set Solaris privilege sets */ if (ctx->runas.privs == NULL) { if (cs->privs != NULL) { @@ -413,7 +408,6 @@ apply_cmndspec(struct sudoers_context *ctx, struct cmndspec *cs) "ctx->runas.limitprivs -> %s", ctx->runas.limitprivs); } } -#endif /* HAVE_PRIV_SET */ if (cs->timeout > 0) { def_command_timeout = cs->timeout; sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, 
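Review bot: In apply_cmndspec the AppArmor branch applies the sudoers value whenever `cs->apparmor_profile != NULL`, while the role/type branch only does so when `ctx->runas.role == NULL` and the privilege-set branch only when `ctx->runas.privs == NULL`, so the precedence between a front-end supplied value and the sudoers entry differs for this one setting. policy.c's deserializer accepts an `apparmor_profile=` key from the front end, and if that path is ever taken the value it stored is overwritten here by `strdup()` without being freed in the visible lines. Either align it with the other two branches, `if (ctx->runas.apparmor_profile == NULL && cs->apparmor_profile != NULL) {`, or free the previous value before the strdup, and document which side wins. apply_cmndspec starts and ends outside the hunk.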
diff --git a/plugins/sudoers/parse.h b/plugins/sudoers/parse.h index c7d9b57e67..2c6d8660ad 100644 --- a/plugins/sudoers/parse.h +++ b/plugins/sudoers/parse.h @@ -1,7 +1,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 1996, 1998-2000, 2004, 2007-2023 + * Copyright (c) 1996, 1998-2000, 2004, 2007-2024 * Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any @@ -159,15 +159,9 @@ struct command_options { int timeout; /* command timeout */ char *runcwd; /* working directory */ char *runchroot; /* root directory */ -#ifdef HAVE_SELINUX char *role, *type; /* SELinux role and type */ -#endif -#ifdef HAVE_APPARMOR char *apparmor_profile; /* AppArmor profile */ -#endif -#ifdef HAVE_PRIV_SET char *privs, *limitprivs; /* Solaris privilege sets */ -#endif }; /* @@ -246,15 +240,9 @@ struct cmndspec { time_t notafter; /* time restriction */ char *runcwd; /* working directory */ char *runchroot; /* root directory */ -#ifdef HAVE_SELINUX char *role, *type; /* SELinux role and type */ -#endif -#ifdef HAVE_APPARMOR char *apparmor_profile; /* AppArmor profile */ -#endif -#ifdef HAVE_PRIV_SET char *privs, *limitprivs; /* Solaris privilege sets */ -#endif }; /* diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c index ec16826394..fe92e12c1d 100644 --- a/plugins/sudoers/policy.c +++ b/plugins/sudoers/policy.c @@ -1,7 +1,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 2010-2023 Todd C. Miller + * Copyright (c) 2010-2024 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -317,7 +317,6 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v, goto bad; continue; } -#ifdef HAVE_SELINUX if (MATCHES(*cur, "selinux_role=")) { CHECK(*cur, "selinux_role="); free(ctx->runas.role); 
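Review bot: The field comments in struct command_options and struct cmndspec still read as if `role`/`type`, `apparmor_profile` and `privs`/`limitprivs` only exist on the platform that can enforce them, but after this change they are present and populated by the parser on every build, and only acted on where the corresponding support is compiled in. A maintainer reading the header should not have to discover that from gram.y, so a one-line note on each group would help, e.g. `/* SELinux role and type; parsed everywhere, applied only with HAVE_SELINUX */` and the same phrasing for the AppArmor and Solaris fields. It is also worth stating that a NULL value means "not specified", since the propagation logic in gram.y and the front-end serialization both rely on that.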
@@ -334,8 +333,6 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v, goto oom; continue; } -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR if (MATCHES(*cur, "apparmor_profile=")) { CHECK(*cur, "apparmor_profile="); free(ctx->runas.apparmor_profile); @@ -344,7 +341,6 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v, goto oom; continue; } -#endif /* HAVE_APPARMOR */ #ifdef HAVE_BSD_AUTH_H if (MATCHES(*cur, "bsdauth_type=")) { CHECK(*cur, "bsdauth_type="); @@ -1040,7 +1036,6 @@ sudoers_policy_store_result(struct sudoers_context *ctx, bool accepted, goto oom; } #endif /* HAVE_LOGIN_CAP_H */ -#ifdef HAVE_SELINUX if (def_selinux && ctx->runas.role != NULL) { if ((command_info[info_len++] = sudo_new_key_val("selinux_role", ctx->runas.role)) == NULL) goto oom; @@ -1049,14 +1044,10 @@ sudoers_policy_store_result(struct sudoers_context *ctx, bool accepted, if ((command_info[info_len++] = sudo_new_key_val("selinux_type", ctx->runas.type)) == NULL) goto oom; } -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR - if (ctx->runas.apparmor_profile != NULL) { - if ((command_info[info_len++] = sudo_new_key_val("apparmor_profile", ctx->runas.apparmor_profile)) == NULL) - goto oom; - } -#endif /* HAVE_APPARMOR */ -#ifdef HAVE_PRIV_SET + if (ctx->runas.apparmor_profile != NULL) { + if ((command_info[info_len++] = sudo_new_key_val("apparmor_profile", ctx->runas.apparmor_profile)) == NULL) + goto oom; + } if (ctx->runas.privs != NULL) { if ((command_info[info_len++] = sudo_new_key_val("runas_privs", ctx->runas.privs)) == NULL) goto oom; @@ -1065,7 +1056,6 @@ sudoers_policy_store_result(struct sudoers_context *ctx, bool accepted, if ((command_info[info_len++] = sudo_new_key_val("runas_limitprivs", ctx->runas.limitprivs)) == NULL) goto oom; } -#endif /* HAVE_PRIV_SET */ /* Set command start time (monotonic) for the first accepted command. */ if (accepted && !ISSET(ctx->mode, MODE_POLICY_INTERCEPTED)) { 
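Review bot: sudoers_policy_store_result now forwards `apparmor_profile`, `runas_privs` and `runas_limitprivs` to the front end on every build, whereas `selinux_role`/`selinux_type` remain gated on `def_selinux`; with the lexer accepting these keywords everywhere, an entry such as `APPARMOR_PROFILE=foo` that the old `goto got_alias` path would have rejected as a syntax error is now accepted on a sudo built without AppArmor support. If the front end ignores a key it was not built to handle, as seems likely, the command would run unconfined while the administrator believes it is confined, which is fail-open for a confinement setting. The safer behaviour is to report an error and refuse the command when `ctx->runas.apparmor_profile != NULL` on a build without `HAVE_APPARMOR` (and likewise privs/limitprivs without `HAVE_PRIV_SET`), either here or in apply_cmndspec, or at minimum emit a warning; please confirm how the front end treats an unrecognised command_info key before choosing. The enclosing function starts and ends outside the hunk.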
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h index e7ad7d2548..93c77667cb 100644 --- a/plugins/sudoers/sudoers.h +++ b/plugins/sudoers/sudoers.h @@ -1,7 +1,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 1993-1996, 1998-2005, 2007-2023 + * Copyright (c) 1993-1996, 1998-2005, 2007-2024 * Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any @@ -174,17 +174,11 @@ struct sudoers_runas_context { char *host; char *shost; char *user; -#ifdef HAVE_SELINUX char *role; char *type; -#endif -#ifdef HAVE_APPARMOR char *apparmor_profile; -#endif -#ifdef HAVE_PRIV_SET char *privs; char *limitprivs; -#endif }; /* diff --git a/plugins/sudoers/sudoers_ctx_free.c b/plugins/sudoers/sudoers_ctx_free.c index b9c5af6092..1f299551a1 100644 --- a/plugins/sudoers/sudoers_ctx_free.c +++ b/plugins/sudoers/sudoers_ctx_free.c @@ -1,7 +1,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 2023 Todd C. Miller + * Copyright (c) 2023-2024 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -73,17 +73,11 @@ sudoers_ctx_free(struct sudoers_context *ctx) if (ctx->runas.shost != ctx->runas.host) free(ctx->runas.shost); free(ctx->runas.host); -#ifdef HAVE_SELINUX free(ctx->runas.role); free(ctx->runas.type); -#endif -#ifdef HAVE_APPARMOR free(ctx->runas.apparmor_profile); -#endif -#ifdef HAVE_PRIV_SET free(ctx->runas.privs); free(ctx->runas.limitprivs); -#endif /* Free dynamic contents of ctx. */ free(ctx->source); diff --git a/plugins/sudoers/toke.c b/plugins/sudoers/toke.c index a60f6322ec..3853af6450 100644 --- a/plugins/sudoers/toke.c +++ b/plugins/sudoers/toke.c @@ -3262,7 +3262,7 @@ char *yytext; /* * SPDX-License-Identifier: ISC * - * Copyright (c) 1996, 1998-2005, 2007-2023 + * Copyright (c) 1996, 1998-2005, 2007-2024 * Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any 
@@ -4359,67 +4359,46 @@ case 59: YY_RULE_SETUP #line 660 "toke.l" { -#ifdef HAVE_SELINUX LEXTRACE("ROLE "); return ROLE; -#else - goto got_alias; -#endif } YY_BREAK case 60: YY_RULE_SETUP -#line 669 "toke.l" +#line 665 "toke.l" { -#ifdef HAVE_SELINUX LEXTRACE("TYPE "); return TYPE; -#else - goto got_alias; -#endif } YY_BREAK case 61: YY_RULE_SETUP -#line 677 "toke.l" +#line 669 "toke.l" { -#ifdef HAVE_APPARMOR LEXTRACE("APPARMOR_PROFILE "); return APPARMOR_PROFILE; -#else - goto got_alias; -#endif } YY_BREAK case 62: YY_RULE_SETUP -#line 685 "toke.l" +#line 673 "toke.l" { -#ifdef HAVE_PRIV_SET LEXTRACE("PRIVS "); return PRIVS; -#else - goto got_alias; -#endif } YY_BREAK case 63: YY_RULE_SETUP -#line 694 "toke.l" +#line 678 "toke.l" { -#ifdef HAVE_PRIV_SET LEXTRACE("LIMITPRIVS "); return LIMITPRIVS; -#else - goto got_alias; -#endif } YY_BREAK case 64: YY_RULE_SETUP -#line 703 "toke.l" +#line 683 "toke.l" { - got_alias: if (!fill(sudoerstext, sudoersleng)) yyterminate(); LEXTRACE("ALIAS "); @@ -4428,7 +4407,7 @@ YY_RULE_SETUP YY_BREAK case 65: YY_RULE_SETUP -#line 711 "toke.l" +#line 690 "toke.l" { /* XXX - no way to specify digest for command */ /* no command args allowed for Defaults!/path */ @@ -4440,7 +4419,7 @@ YY_RULE_SETUP YY_BREAK case 66: YY_RULE_SETUP -#line 720 "toke.l" +#line 699 "toke.l" { digest_type = SUDO_DIGEST_SHA224; BEGIN WANTDIGEST; @@ -4450,7 +4429,7 @@ YY_RULE_SETUP YY_BREAK case 67: YY_RULE_SETUP -#line 727 "toke.l" +#line 706 "toke.l" { digest_type = SUDO_DIGEST_SHA256; BEGIN WANTDIGEST; @@ -4460,7 +4439,7 @@ YY_RULE_SETUP YY_BREAK case 68: YY_RULE_SETUP -#line 734 "toke.l" +#line 713 "toke.l" { digest_type = SUDO_DIGEST_SHA384; BEGIN WANTDIGEST; @@ -4470,7 +4449,7 @@ YY_RULE_SETUP YY_BREAK case 69: YY_RULE_SETUP -#line 741 "toke.l" +#line 720 "toke.l" { digest_type = SUDO_DIGEST_SHA512; BEGIN WANTDIGEST; 
@@ -4480,7 +4459,7 @@ YY_RULE_SETUP YY_BREAK case 70: YY_RULE_SETUP -#line 748 "toke.l" +#line 727 "toke.l" { BEGIN GOTCMND; LEXTRACE("COMMAND "); @@ -4490,7 +4469,7 @@ YY_RULE_SETUP YY_BREAK case 71: YY_RULE_SETUP -#line 755 "toke.l" +#line 734 "toke.l" { BEGIN prev_state; if (!fill(sudoerstext, sudoersleng)) @@ -4501,7 +4480,7 @@ YY_RULE_SETUP YY_BREAK case 72: YY_RULE_SETUP -#line 763 "toke.l" +#line 742 "toke.l" { /* directories can't have args... */ if (sudoerstext[sudoersleng - 1] == '/') { @@ -4518,7 +4497,7 @@ YY_RULE_SETUP YY_BREAK case 73: YY_RULE_SETUP -#line 777 "toke.l" +#line 756 "toke.l" { if (sudoers_strict()) { if (!sudo_regex_compile(NULL, sudoerstext, &sudoers_errstr)) { @@ -4534,7 +4513,7 @@ YY_RULE_SETUP YY_BREAK case 74: YY_RULE_SETUP -#line 790 "toke.l" +#line 769 "toke.l" { LEXTRACE("BEGINSTR "); sudoerslval.string = NULL; @@ -4544,7 +4523,7 @@ YY_RULE_SETUP YY_BREAK case 75: YY_RULE_SETUP -#line 797 "toke.l" +#line 776 "toke.l" { /* a word */ if (!fill(sudoerstext, sudoersleng)) @@ -4556,7 +4535,7 @@ YY_RULE_SETUP case 76: YY_RULE_SETUP -#line 806 "toke.l" +#line 785 "toke.l" { /* include file/directory */ if (!fill(sudoerstext, sudoersleng)) @@ -4568,7 +4547,7 @@ YY_RULE_SETUP YY_BREAK case 77: YY_RULE_SETUP -#line 815 "toke.l" +#line 794 "toke.l" { LEXTRACE("BEGINSTR "); sudoerslval.string = NULL; @@ -4579,7 +4558,7 @@ YY_RULE_SETUP case 78: YY_RULE_SETUP -#line 823 "toke.l" +#line 802 "toke.l" { LEXTRACE("( "); return '('; @@ -4587,7 +4566,7 @@ YY_RULE_SETUP YY_BREAK case 79: YY_RULE_SETUP -#line 828 "toke.l" +#line 807 "toke.l" { LEXTRACE(") "); return ')'; @@ -4595,7 +4574,7 @@ YY_RULE_SETUP YY_BREAK case 80: YY_RULE_SETUP -#line 833 "toke.l" +#line 812 "toke.l" { LEXTRACE(", "); return ','; @@ -4603,7 +4582,7 @@ YY_RULE_SETUP YY_BREAK case 81: YY_RULE_SETUP -#line 838 "toke.l" +#line 817 "toke.l" { LEXTRACE("= "); return '='; 
@@ -4611,7 +4590,7 @@ YY_RULE_SETUP YY_BREAK case 82: YY_RULE_SETUP -#line 843 "toke.l" +#line 822 "toke.l" { LEXTRACE(": "); return ':'; @@ -4619,7 +4598,7 @@ YY_RULE_SETUP YY_BREAK case 83: YY_RULE_SETUP -#line 848 "toke.l" +#line 827 "toke.l" { if (sudoersleng & 1) { LEXTRACE("!"); @@ -4630,7 +4609,7 @@ YY_RULE_SETUP case 84: /* rule 84 can match eol */ YY_RULE_SETUP -#line 855 "toke.l" +#line 834 "toke.l" { if (YY_START == INSTR) { /* throw away old string */ @@ -4652,7 +4631,7 @@ YY_RULE_SETUP YY_BREAK case 85: YY_RULE_SETUP -#line 874 "toke.l" +#line 853 "toke.l" { /* throw away space/tabs */ sawspace = true; /* but remember for fill_args */ } @@ -4660,7 +4639,7 @@ YY_RULE_SETUP case 86: /* rule 86 can match eol */ YY_RULE_SETUP -#line 878 "toke.l" +#line 857 "toke.l" { sawspace = true; /* remember for fill_args */ sudolineno++; @@ -4670,7 +4649,7 @@ YY_RULE_SETUP case 87: /* rule 87 can match eol */ YY_RULE_SETUP -#line 884 "toke.l" +#line 863 "toke.l" { if (sudoerstext[sudoersleng - 1] == '\n') { /* comment ending in a newline */ @@ -4688,7 +4667,7 @@ YY_RULE_SETUP YY_BREAK case 88: YY_RULE_SETUP -#line 899 "toke.l" +#line 878 "toke.l" { LEXTRACE("NOMATCH "); return NOMATCH; @@ -4704,7 +4683,7 @@ case YY_STATE_EOF(INSTR): case YY_STATE_EOF(WANTDIGEST): case YY_STATE_EOF(GOTINC): case YY_STATE_EOF(EXPECTPATH): -#line 904 "toke.l" +#line 883 "toke.l" { if (!pop_include()) yyterminate(); @@ -4712,10 +4691,10 @@ case YY_STATE_EOF(EXPECTPATH): YY_BREAK case 89: YY_RULE_SETUP -#line 909 "toke.l" +#line 888 "toke.l" ECHO; YY_BREAK -#line 4713 "toke.c" +#line 4692 "toke.c" case YY_END_OF_BUFFER: { @@ -5684,7 +5663,7 @@ void yyfree (void * ptr ) #define YYTABLES_NAME "yytables" -#line 909 "toke.l" +#line 888 "toke.l" struct path_list { SLIST_ENTRY(path_list) entries; diff --git a/plugins/sudoers/toke.l b/plugins/sudoers/toke.l index 1fa97491e0..315f420731 100644 --- a/plugins/sudoers/toke.l +++ b/plugins/sudoers/toke.l 
@@ -2,7 +2,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 1996, 1998-2005, 2007-2023 + * Copyright (c) 1996, 1998-2005, 2007-2024 * Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any @@ -658,50 +658,29 @@ ALL { } ROLE { -#ifdef HAVE_SELINUX LEXTRACE("ROLE "); return ROLE; -#else - goto got_alias; -#endif } TYPE { -#ifdef HAVE_SELINUX LEXTRACE("TYPE "); return TYPE; -#else - goto got_alias; -#endif } APPARMOR_PROFILE { -#ifdef HAVE_APPARMOR LEXTRACE("APPARMOR_PROFILE "); return APPARMOR_PROFILE; -#else - goto got_alias; -#endif } PRIVS { -#ifdef HAVE_PRIV_SET LEXTRACE("PRIVS "); return PRIVS; -#else - goto got_alias; -#endif } LIMITPRIVS { -#ifdef HAVE_PRIV_SET LEXTRACE("LIMITPRIVS "); return LIMITPRIVS; -#else - goto got_alias; -#endif } [[:upper:]][[:upper:][:digit:]_]* { - got_alias: if (!fill(sudoerstext, sudoersleng)) yyterminate(); LEXTRACE("ALIAS ");